Simple ELK setup
I have created the GROK expression for IIB server logs and it works fine.
The only problem is that the output filter is not creating an index on Elasticsearch; it always defaults to the logstash-* index.
My plugin is below; this one does not create an index:
input { stdin { } }
filter {
  grok {
    match => {"message" => "^%{SYSLOGTIMESTAMP:timestamp} %{HOSTNAME:hostname} %{USERNAME:user}?:%{LOGLEVEL:log_level}?|%{LOGLEVEL:log_level} %{PROG:program}[%{POSINT:pid}]?: %{CISCO_REASON:IIB_Version} (%{NOTSPACE:Broker}.%{NOTSPACE:Execution_Grp}) %{SYSLOG5424SD:Thread} (%{GREEDYDATA:msg}) %{NOTSPACE:errrCode}?: %{GREEDYDATA:message}"}
  }
}
output {
  elasticsearch {
    hosts => ["127.0.0.1:9200"]
    action => "index"
    # Elasticsearch index names must be lowercase; the capital "B" below makes
    # the index request fail (check the Logstash log for the rejection).
    index => "Broker-%{+YYYY.MM.dd}"
  }
  stdout { codec => rubydebug }
}
This one works fine:
input { stdin { } }
filter {
  grok {
    match => {"message" => "^%{SYSLOGTIMESTAMP:timestamp} %{HOSTNAME:hostname} %{USERNAME:user}?:%{LOGLEVEL:log_level}?|%{LOGLEVEL:log_level} %{PROG:program}[%{POSINT:pid}]?: %{CISCO_REASON:IIB_Version} (%{NOTSPACE:Broker}.%{NOTSPACE:Execution_Grp}) %{SYSLOG5424SD:Thread} (%{GREEDYDATA:msg}) %{NOTSPACE:errrCode}?: %{GREEDYDATA:message}"}
  }
}
output {
  elasticsearch {
    hosts => ["127.0.0.1:9200"]
  }
  stdout { codec => rubydebug }
}
Here is where I am stuck now.
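As an added example (not part of the original post), a small Python checker that expands the Logstash `%{+YYYY.MM.dd}` date token the way the output plugin does and then tests the resulting name against Elasticsearch's index-naming rules; run it against the `index =>` value before deploying a pipeline so a rejected name does not silently leave events in the default index. The date-token expansion covers only the YYYY/MM/dd tokens used in this config.

```python
import re
from datetime import datetime

# Characters Elasticsearch rejects in index names (in addition to uppercase letters).
FORBIDDEN_CHARS = set('\\/*?"<>| ,#:')


def render_logstash_index(pattern, when):
    """Expand a Logstash %{+...} date sprintf inside an index name.
    Only the Joda tokens YYYY, MM and dd are mapped (enough for this config)."""
    def repl(match):
        fmt = (match.group(1)
               .replace("YYYY", "%Y")
               .replace("MM", "%m")
               .replace("dd", "%d"))
        return when.strftime(fmt)
    return re.sub(r"%\{\+([^}]+)\}", repl, pattern)


def index_name_problems(name):
    """Return the list of Elasticsearch index-name rules that `name` breaks
    (an empty list means the name is acceptable)."""
    problems = []
    if name != name.lower():
        problems.append("must be lowercase")
    bad = sorted(FORBIDDEN_CHARS & set(name))
    if bad:
        problems.append("contains forbidden characters: " + "".join(bad))
    if name[:1] in ("-", "_", "+"):
        problems.append("must not start with -, _ or +")
    if name in (".", ".."):
        problems.append("must not be . or ..")
    if len(name.encode("utf-8")) > 255:
        problems.append("longer than 255 bytes")
    return problems


def check_index_setting(pattern, date_iso):
    """Render the index name for a given day (ISO date, e.g. '2016-03-04')
    and report which naming rules it violates."""
    name = render_logstash_index(pattern, datetime.fromisoformat(date_iso))
    return name, index_name_problems(name)


if __name__ == "__main__":
    # Constructed inputs: the failing value from the post and a corrected one.
    for setting in ("Broker-%{+YYYY.MM.dd}", "broker-%{+YYYY.MM.dd}"):
        print(setting, "->", check_index_setting(setting, "2016-03-04"))
```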